Exclusions

All exclusions related to the policy are created using this feature.
Exclusion Setting
Description
Application Control Exclusion
Adding an application control exclusion allows application changes and additions to the specified folders. For Windows, use an absolute path, including the drive letter.
Example for Windows: C:\Application
External Device Exclusion List
Adding an external device exclusion allows the USB mass storage device to connect to a device.
  • Vendor ID (required) – Include the vendor ID for the USB mass storage device. One way to find the vendor ID is to connect the USB mass storage device to a test endpoint and view the ID in the CylanceON-PREM console.
  • Product ID – Include the product ID for the USB mass storage device. This is optional but can help make a more specific exception.
  • Serial Number – Include the serial number for the USB mass storage device. This is optional but can help make a more specific exception.
  • Comment – Include a comment about why the USB mass storage device is being allowed or blocked. This is optional.
  • Access (required) – Select this option to allow full access, read-only permissions, or to block the external device.
Memory Violation Exclusion
Adding a memory violation exclusion allows the specified file to run or be installed on any device assigned to the policy. The memory violation exclusion uses a relative file path.
Example for Windows: \Application\Subfolder\application.exe
Example for macOS (without spaces): /Applications/SampleApplication.app/Contents/MacOS/executable
Example for macOS (with spaces): /Applications/Sample Application.app/Contents/MacOS/executable
See Wildcards in memory violation exclusions for more information.
Policy Safe List
Adding a policy safe list exclusion means all agents assigned to the policy will treat the file as safe, even if BlackBerry ranks it as unsafe or abnormal. This lets you allow a file for a group of devices but not for the rest of your organization.
  • SHA256 (required) – Include the SHA256 hash for the file you want to allow.
  • MD5 – Include the MD5 hash of the file. This is optional.
  • File Name – Include the filename of the file. This is optional.
  • Category (required) – Use this to categorize the file and identify why it is allowed.
  • Reason (required) – Include a reason for allowing this file.
Script Exclusion
Adding a script exclusion allows scripts to run from the specified folder, including subfolders. Use the relative path to the folder.
Example for Windows: \Application\Subfolder\
Threat Exclusion
Adding a threat exclusion means the folder is excluded from background threat detection and file watcher. This includes subfolders.
For Windows, use an absolute path, including the drive letter. For macOS, use a relative path, escaping any spaces in the path.
Example for Windows: C:\Application
Example for macOS (without spaces): /Applications/SampleApplication.app
Example for macOS (with spaces): /Applications/Sample\ Application.app
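
The path and field rules in the table above differ by exclusion type, so a proposed list can be checked before it is entered in the console. The following Python sketch is an added example, not BlackBerry code; the entry layout (dicts with "type", "os", "path" and so on) and the name lint_exclusion are assumptions made for the illustration.

```python
import re

# Rules come from the table above; the dict layout of an entry is an assumption.
DRIVE_ABS = re.compile(r"^[A-Za-z]:\\")      # absolute, e.g. C:\Application
DRIVE_ANY = re.compile(r"^[A-Za-z]:")        # any drive-letter prefix
UNESCAPED_SPACE = re.compile(r"(?<!\\) ")    # space not preceded by a backslash
SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")
MD5 = re.compile(r"^[0-9a-fA-F]{32}$")

def lint_exclusion(entry):
    """Return a list of problems found in one exclusion entry (empty list = OK)."""
    kind, os_name = entry.get("type"), entry.get("os")
    path, problems = entry.get("path", ""), []
    if os_name == "windows":
        if kind in ("application_control", "threat") and not DRIVE_ABS.match(path):
            problems.append("Windows path must be absolute, including the drive letter")
        if kind in ("memory_violation", "script") and DRIVE_ANY.match(path):
            problems.append("Windows path must be relative (no drive letter)")
    if kind == "threat" and os_name == "macos" and UNESCAPED_SPACE.search(path):
        problems.append("macOS threat exclusion must escape spaces with a backslash")
    if kind == "policy_safe_list":
        if not SHA256.match(entry.get("sha256", "")):
            problems.append("SHA256 is required and must be 64 hex characters")
        if entry.get("md5") and not MD5.match(entry["md5"]):
            problems.append("MD5, when given, must be 32 hex characters")
        required = ("category", "reason")
    elif kind == "external_device":
        required = ("vendor_id", "access")
    else:
        required = ()
    problems += [f"{field} is required" for field in required if not entry.get(field)]
    return problems

# Constructed sample entries; the paths reuse the examples from the table.
SAMPLES = [
    {"type": "threat", "os": "windows", "path": r"C:\Application"},
    {"type": "threat", "os": "macos", "path": "/Applications/Sample Application.app"},
    {"type": "memory_violation", "os": "windows",
     "path": r"C:\Application\Subfolder\application.exe"},
    {"type": "policy_safe_list", "sha256": "ab" * 16, "category": "", "reason": "vendor tool"},
    {"type": "external_device", "vendor_id": "0781", "access": ""},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["type"], "->", lint_exclusion(sample) or "OK")
```

An entry that passes these checks is only well-formed; whether the folder, file hash or device should be excluded at all remains a review decision recorded in the Comment, Category and Reason fields.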